[Samba] LDAP_MATCHING_RULE_IN_CHAIN no longer working after upgrade?

Jonathan Hunter jmhunter1 at gmail.com
Wed Nov 29 22:54:55 UTC 2023


Thank you Yohannès, that's really useful information.

On Wed, 29 Nov 2023 at 14:22, Yohannès ALEMU <yalemu at tranquil.it> wrote:
> > Reminder of my original LDAP query:
[..]
> >      (memberOf:1.2.840.113556.1.4.1941:=CN=mygroup,OU=myou,DC=mydomain,DC=org)
>
> I came across the same/similar issue yesterday and found the origin that
> triggered the issue (at least in my case). I've added a response to your
> bugzilla entry [1].
>
> To make it short, if you have a GPO where "Authenticated Users" security
> token has been removed from the ACE, then the
> memberOf:1.2.840.113556.1.4.1941 OID does not work anymore for anyone
> but "Domain admins" members...

I do definitely have GPOs without "Authenticated Users" access.
Unfortunately I can't add 'Authenticated Users' in my live environment
to test, as those GPOs are applied based on group membership rather
than position in the tree.. although I could perhaps figure out how to
add "Authenticated Users" programmatically in my docker test
environment in order to test this more definitively (I have a few OUs
in this state, so I'd need to have a command-line way to list them and
then to add the permissions).

I wonder if my issue is slightly different though (although probably
still related), as in my case running my query as even the domain
Administrator still returns no results.

My current theory is that it may have something to do with one of the
users that should be returned as a search result to my query, also
being a member of a group that's inside a separate part of the tree
with restricted permissions (i.e. only specific users can access that
OU, not including Administrator). But I don't know enough about the
internals of how the LDAP_MATCHING_RULE_IN_CHAIN search is implemented
to know exactly what's going on..

On my todo list is to work out a way to programmatically recreate some
of my scenario in a fresh domain, and see if the issue still persists.
If I can get that working, at least we'll have a testable scenario
that anyone can use, without needing a backup of my domain to
reproduce it. That's likely to be a longer term goal, but I am willing
to try if there's no other way to figure this out..

Thanks!

Jonathan

-- 
"If we knew what it was we were doing, it would not be called
research, would it?"
      - Albert Einstein
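Yohannès' observation above concerns GPOs whose ACE list no longer grants "Authenticated Users" access, and Jonathan asks for a command-line way to list such GPOs. As an added example (not code from this thread or from Samba), the following Python audit parses a GPO's security descriptor in SDDL form and reports GPOs where Authenticated Users (alias AU, SID S-1-5-11) lack read access or the Apply Group Policy extended right. The sample descriptors, GPO names and function names are constructed; the Apply Group Policy GUID is the standard Windows value and is assumed here.

```python
import re

# Constructed sample GPO security descriptors in SDDL form (not from the thread).
SAMPLE_GPOS = {
    "Default Domain Policy (constructed)":
        "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
        "(A;CI;RPLCLORC;;;AU)"
        "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;AU)",
    "Group-filtered GPO (constructed)":
        "O:DAG:DAD:PAI(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
        "(A;CI;RPLCLORC;;;S-1-5-21-1111-2222-3333-1105)"
        "(OA;CI;CR;edacfd8f-ffb3-11d1-b41d-00a0c968f939;;S-1-5-21-1111-2222-3333-1105)",
}

AUTHENTICATED_USERS = {"AU", "S-1-5-11"}                     # SDDL alias and SID
APPLY_GROUP_POLICY = "edacfd8f-ffb3-11d1-b41d-00a0c968f939"  # extended right GUID (assumed)
ACE_RE = re.compile(r"\(([^)]*)\)")

def dacl_aces(sddl):
    """Split the DACL portion of an SDDL string into ACE field lists."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop any trailing SACL
    return [ace.split(";") for ace in ACE_RE.findall(dacl)]

def authenticated_users_rights(sddl):
    """Return (read, apply) for Authenticated Users; a deny ACE overrides an allow."""
    allow = {"read": False, "apply": False}
    deny = {"read": False, "apply": False}
    for f in dacl_aces(sddl):
        if len(f) < 6 or f[5] not in AUTHENTICATED_USERS:
            continue
        ace_type, rights, guid = f[0], f[2], f[3].lower()
        if ace_type not in ("A", "OA", "D", "OD") or rights.startswith("0x"):
            continue            # audit/alarm ACEs and numeric masks are not decoded here
        codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}   # two-letter rights
        read = bool(codes & {"GA", "GR", "RP"})
        # CR on an object ACE covers only the named right; on a plain ACE it covers all
        apply = "GA" in codes or ("CR" in codes and guid in ("", APPLY_GROUP_POLICY))
        bucket = allow if ace_type in ("A", "OA") else deny
        bucket["read"] |= read
        bucket["apply"] |= apply
    return (allow["read"] and not deny["read"], allow["apply"] and not deny["apply"])

def gpos_missing_authenticated_users(gpos):
    """Names of GPOs where Authenticated Users lack read or Apply Group Policy."""
    return [name for name, sddl in gpos.items()
            if not all(authenticated_users_rights(sddl))]
```

The descriptors would come from each GPO's nTSecurityDescriptor attribute under CN=Policies,CN=System; the function only decodes the DACL, so it flags a GPO that is filtered to a group without reporting which group replaced Authenticated Users.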
